1. INTRODUCTION 

Wireless sensor networks (WSNs) can be used to perform real-time monitoring in various 
environments. Networked sensors can easily be stationed in various environments (e.g., for forest detection 
and harmful gas monitoring) [1]. Generally, the gateway node has sufficient power and capacity, while the 
wireless sensors lack sufficient CPU power, memory, computational capability, and storage capacity. 
Therefore, generally, a user needs to connect with sensors directly to acquire the sensed data [2]. Considering 
the resources of sensors, the user authentication protocol for WSNs should be efficient in terms of 
computation cost. Therefore, the power consumption of the cryptographic algorithms used should be reduced 
while addressing the security requirements. To resolve the difficulty of designing a secure two-factor 
authentication protocol, a privacy-aware two-factor protocol that addressed various security problems with 
the resource sensors and sensed data was designed in [3]. 

In 2009, Das first applied two-factor authentication combining the password and smart card to solve 
the security problems of WSNs. It presented a new direction for user authentication for WSNs [4]. However, 
the authentication protocol Das proposed does not provide user anonymity, session key negotiation, or 
mutual authentication. In addition, it is vulnerable to several attacks, such as gateway node bypassing, offline 
password guessing, sensor node capture, and denial-of-service attacks. Thus, various improved authentication 
protocols for WSNs were proposed to resolve the various security problems [5-7]. In addition to user 
authentication protocols based on the symmetric key approach, a number of elliptic curve cryptography 
(ECC)-based authentication protocols have been proposed. Yeh et al. found that the protocol of Chen et al. 
does not provide a user password updating mechanism and is vulnerable to insider attacks. Thus, Yeh et al. 
proposed an ECC-based two-factor authentication protocol. However, in Yeh et al.’s scheme, the user and 
sensor cannot mutually authenticate each other [8]. To solve the problems of Yeh et al.’s scheme, Shi et al. 
proposed an improved ECC-based authentication protocol. Compared with the protocol of Yeh et al., the 
protocol of Shi et al. provides more diverse security features and performs better in terms of computation and 
communication [9]. However, in 2014, Choi et al. revealed that the authentication protocol of Shi et al. is 
vulnerable to unknown key share, stolen smart card, and sensor energy exhausting attacks. To eliminate these 
security weaknesses, they also proposed an enhanced authentication protocol [1]. Unfortunately, the protocol 
of Choi et al. still cannot achieve anonymity and untraceability. To solve the various security weaknesses of 
ECC-based two-factor authentication protocols, Jiang et al. proposed a privacy-aware two-factor 
authentication protocol based on ECC for WSNs. Jiang et al. claim their protocol achieves various security 
and usability features necessary for real-life application environments [2]. However, this paper analyzes 
Jiang et al.’s protocol and shows that it has security vulnerabilities, such as a lack of mutual authentication, a 
risk of SID modification and DoS attacks, a lack of sensor anonymity, and weak ID anonymity. The 
remainder of this paper is organized as follows. Section 2 explains Jiang et al.’s privacy-aware two-factor 
authentication protocol based on ECC for WSNs. Section 3 shows that Jiang et al.’s authentication protocol 
has the security vulnerabilities noted above. Section 4 concludes this paper. 


2. REVIEW OF JIANG ET AL.’S TWO-FACTOR AUTHENTICATION PROTOCOL 

Jiang et al.’s protocol is based on ECC for WSNs. It consists of four phases: registration, login, 
authentication, and password change. Table 1 shows the notations used in this paper [2]. ECC provides 
better efficiency than Rivest, Shamir, and Adleman (RSA), because it achieves the same security strength 
with a smaller key size; specifically, 160-bit ECC and 1024-bit RSA have the same security strength 
[10], [11]. The elliptic curve E_p(a, b) is defined by the equation y^2 = x^3 + ax + b (mod p) over a prime 
finite field F_p, where a, b ∈ F_p and 4a^3 + 27b^2 ≠ 0 (mod p). 


Table 1. Notations 

Notation            Description 
U_i                 A user 
GWN                 A gateway node 
S_j                 Sensor node 
SID_j               Sensor node identity 
H(·)                Hash function 
ID_i                The identity of U_i 
PW_i                The password of U_i 
TS                  The current timestamp 
SK_i                Shared session key 
PTC_i               Protected temporal credential of U_i 
DID_i, DID_GWN      A dynamic identity of U_i and S_j 
TC_i, TC_j          Temporal credential of U_i and S_j 
TE_i                The expiration time of a user’s temporal credential 
K_GWN-U, K_GWN-S    Master keys only known to GWN 
||                  The bitwise concatenation 
⊕                   The bitwise exclusive OR 


2.1. Registration Phase 
Prior to starting Jiang et al.’s authentication protocol, GWN selects a finite cyclic additive group 
G generated by a point P of large prime order n on an elliptic curve over a finite field F_p. Then, GWN 
randomly chooses a number x as its private key, computes the corresponding public key y = xP, and 
generates two master secret keys K_GWN-U and K_GWN-S. Then, GWN stores x and produces the system 
parameters {E(F_p), G, P, y}. Figure 1 shows the user registration process. It is assumed that the 
communication channel between the participants is secure. 

(R1-U) When a user U_i registers with GWN, U_i selects his/her own identity ID_i and password PW_i and randomly 
chooses a number r_i. Then, U_i calculates HPW_i = H(PW_i || ID_i || r_i) and sends {ID_i, HPW_i} to GWN. 

(R2-U) After receiving the request, GWN checks the legitimacy of ID_i and refuses the request if ID_i does not 
meet the requirements for a user identity or is the same as an already registered identity in the 
verification table. Then, GWN computes TC_i = H(K_GWN-U || ID_i || TE_i) and PTC_i = TC_i ⊕ HPW_i. 
GWN stores (ID_i, TE_i) in the verification table. Finally, GWN issues a smart card containing 
{H(·), y, TE_i, PTC_i} to U_i. 

(R3-U) U_i computes HPW'_i = H(h(ID_i || PW_i || r_i) mod m), where m is an integer with 2^4 ≤ m ≤ 2^8 that 
determines the capacity of the pool of <ID_i, PW_i> pairs that resists offline password guessing attacks 
[12]. Then, U_i stores r_i and HPW'_i in the card. 


The sensor registration process is described as follows: 

(R1-S) S_j presents its identity SID_j to GWN using a secure channel. 
(R2-S) GWN computes TC_j = H(K_GWN-S || SID_j) as the credential for S_j. Then, GWN replies to S_j with {TC_j}. 
(R3-S) After receiving the response, S_j keeps TC_j. 


[U_i (ID_i, PW_i)] Chooses ID_i and PW_i; generates r_i; HPW_i = H(PW_i || ID_i || r_i) 
[U_i → GWN] (ID_i, HPW_i) 
[GWN (K_GWN-U, K_GWN-S)] TC_i = H(K_GWN-U || ID_i || TE_i); PTC_i = TC_i ⊕ HPW_i; stores (ID_i, TE_i); stores (H(·), y, TE_i, PTC_i) into the smart card 
[GWN → U_i] Smart card (H(·), y, TE_i, PTC_i) 
[U_i] HPW'_i = H(h(ID_i || PW_i || r_i) mod m); stores r_i and HPW'_i into the smart card, which now holds (H(·), y, TE_i, PTC_i, r_i, HPW'_i) 

Figure 1. Registration phase of Jiang et al.’s protocol 


2.2. Login Phase 
The following steps are performed in the system login phase. 
(L1) When U_i wants to access S_j, U_i inserts the smart card into a terminal and inputs ID_i and PW_i. 
(L2) The smart card calculates HPW*_i = H(h(ID_i || PW_i || r_i) mod m) and compares it with the stored HPW'_i. If 
they are not the same, the card rejects the request. Otherwise, it continues and computes TC_i = PTC_i ⊕ H(PW_i || ID_i 
|| r_i). 


2.3. Authentication Phase 
Subsequent to the login phase, the communicating agents (U_i, S_j, and GWN) mutually authenticate 
each other and establish a session key as follows. Figure 2 depicts these phases. 

(A1) U_i selects a random number a ∈ Z_{p-1} and calculates A_i = aP, D_i = ay = axP, DID_i = ID_i ⊕ H(A_i || D_i), 
and C_i = H(ID_i || TS_1 || D_i || A_i || TC_i), where TS_1 is the timestamp of the current computing platform. 
Finally, U_i forwards {DID_i, A_i, TS_1, C_i} to GWN. 

(A2) On receiving {DID_i, A_i, TS_1, C_i}, GWN verifies the freshness of TS_1. If TS_1 is not fresh, GWN refuses 
the request; otherwise, GWN calculates D_i = xA_i = xaP, ID_i = DID_i ⊕ H(A_i || D_i), and TC_i = H(K_GWN-U 
|| ID_i || TE_i) and checks whether H(ID_i || TS_1 || D_i || A_i || TC_i) is the same as C_i. If these two values are 
not the same, GWN refuses the request; otherwise, GWN chooses a sensor S_j and calculates TC_j = 
H(K_GWN-S || SID_j), DID_GWN = ID_i ⊕ H(DID_i || TC_j || TS_2), and C_GWN = H(ID_i || TC_j || A_i || TS_2), where 
TS_2 is the timestamp of the current computing platform. Finally, GWN sends {TS_2, DID_i, DID_GWN, 
C_GWN, A_i} to S_j. 

(A3) On receiving {TS_2, DID_i, DID_GWN, C_GWN, A_i}, S_j checks the freshness of TS_2. If TS_2 is invalid, S_j 
rejects the request; otherwise, S_j computes ID_i = DID_GWN ⊕ H(DID_i || TC_j || TS_2) and checks whether 
H(ID_i || TC_j || A_i || TS_2) and C_GWN are equal. If these two values are unequal, S_j terminates the current 
session; otherwise, S_j generates a random key b ∈ Z_{p-1} and computes B_j = bP, SK_j = H(bA_i) = H(abP), and 
C_j = H(TC_j || ID_i || SID_j || B_j || TS_3), where TS_3 is the current timestamp. S_j then sends {SID_j, TS_3, 
C_j, B_j} to GWN. 

(A4) After checking the legitimacy of TS_3, GWN checks whether H(TC_j || ID_i || SID_j || B_j || TS_3) and C_j are 
the same. If these two values are not equal, GWN stops the current session; otherwise, GWN confirms 
that S_j is authenticated. Finally, GWN calculates E_GWN = H(ID_i || TC_i || D_i || B_j || TS_4), where TS_4 is the 
timestamp of the current computing platform, and sends {SID_j, TS_4, B_j, E_GWN} to U_i. 

(A5) After checking the freshness of TS_4, U_i computes H(ID_i || TC_i || D_i || B_j || TS_4) and checks whether it and 
E_GWN are equal. If these two values are not the same, U_i stops the current session; otherwise, U_i confirms 
that S_j and GWN are authenticated. Finally, U_i computes the shared session key SK_i = H(aB_j) = 
H(abP). 
[U_i (ID_i, PW_i)] Inputs ID_i and PW_i; TC_i = PTC_i ⊕ H(PW_i || ID_i || r_i); generates a ∈ Z_{p-1}; A_i = aP; D_i = ay = axP; DID_i = ID_i ⊕ H(A_i || D_i); C_i = H(ID_i || TS_1 || D_i || A_i || TC_i) 
[U_i → GWN] M_1 = (DID_i, A_i, TS_1, C_i) 
[GWN (K_GWN-U, K_GWN-S)] Checks TS_1; D_i = xA_i = xaP; ID_i = DID_i ⊕ H(A_i || D_i); checks ID_i and retrieves TE_i; TC_i = H(K_GWN-U || ID_i || TE_i); checks C_i = H(ID_i || TS_1 || D_i || A_i || TC_i); TC_j = H(K_GWN-S || SID_j); DID_GWN = ID_i ⊕ H(DID_i || TC_j || TS_2); C_GWN = H(ID_i || TC_j || A_i || TS_2) 
[GWN → S_j] M_2 = (TS_2, DID_i, DID_GWN, C_GWN, A_i) 
[S_j (TC_j)] Checks TS_2; ID_i = DID_GWN ⊕ H(DID_i || TC_j || TS_2); checks C_GWN = H(ID_i || TC_j || A_i || TS_2); generates b ∈ Z_{p-1}; B_j = bP; SK_j = H(bA_i) = H(abP); C_j = H(TC_j || ID_i || SID_j || B_j || TS_3) 
[S_j → GWN] M_3 = (SID_j, TS_3, C_j, B_j) 
[GWN] Checks TS_3; checks C_j = H(TC_j || ID_i || SID_j || B_j || TS_3); E_GWN = H(ID_i || TC_i || D_i || B_j || TS_4) 
[GWN → U_i] M_4 = (SID_j, TS_4, B_j, E_GWN) 
[U_i] Checks TS_4; checks E_GWN = H(ID_i || TC_i || D_i || B_j || TS_4); SK_i = H(aB_j) = H(abP) 

Figure 2. Login and authentication phase of Jiang et al.’s protocol 


2.4. Password Change Phase 

(PC1) If U_i wants to update his/her password, he or she inserts the smart card into a terminal and 
enters ID_i and PW_i. Figure 3 shows the password change phase of Jiang et al.’s protocol. 

(PC2) The smart card calculates HPW*_i = H(h(ID_i || PW_i || r_i) mod m) and compares it with the stored HPW'_i. If 
they are not the same, the card refuses the request. Otherwise, U_i inputs the old PW_i, selects a new PW'_i, calculates 
PTC'_i = TC_i ⊕ RPW_i ⊕ H(r_i || PW'_i), and replaces PTC_i with PTC'_i. 


[U_i (ID_i, PW_i, PW'_i)] Inserts the smart card; inputs the previous ID_i and PW_i 
[Smart card] Computes HPW*_i = H(h(ID_i || PW_i || r_i) mod m); checks HPW*_i = HPW'_i 
[U_i] Inputs the new password PW'_i 
[Smart card] Computes PTC'_i = TC_i ⊕ RPW_i ⊕ H(r_i || PW'_i); replaces PTC_i with PTC'_i 

Figure 3. Password change phase of Jiang et al.’s protocol 


3. CRYPTANALYSIS ON JIANG ET AL.’S TWO-FACTOR AUTHENTICATION PROTOCOL 
This paper analyzes Jiang et al.’s authentication protocol and identifies various security 
vulnerabilities, including a lack of mutual authentication, a risk of SID modification and DoS attacks, a lack of 
sensor anonymity, and weak ID anonymity. 


3.1. Lack of Mutual Authentication 

Mutual authentication means that two or three parties authenticate each other, so that all of the parties 
(e.g., client/user, gateway, and sensors) are assured of the others’ identity. In Jiang et al.’s protocol, the user 
and gateway authenticate each other using ID_i and TC_i, while the gateway and sensors authenticate each other 
using TC_j and C_GWN. However, mutual authentication between the user and sensors is not provided. The 
sensors can authenticate the user with the gateway’s help, but the user cannot authenticate the sensors. Thus, 
the user cannot verify whether the sensor SID_j is a legitimate node. 


3.2. Risk of SID Modification Attacks 

The user receives {SID_j, TS_4, B_j, E_GWN} from GWN and checks the message’s integrity and 
freshness. However, nothing in {SID_j, TS_4, B_j, E_GWN} indicates that SID_j has been authenticated by GWN, 
because E_GWN = H(ID_i || TC_i || D_i || B_j || TS_4) does not cover SID_j, so an attacker can perform a SID 
modification attack. When the attacker modifies the SID_j in {SID_j, TS_4, B_j, E_GWN} to SID_attacker, the user 
is unaware of the change. Therefore, the user mistakenly believes that SID_attacker is a normal sensor node and 
thus computes the session key SK_i for secure communication with SID_attacker, even though the attacker cannot 
know SK_i. Moreover, when SID_j requests communication, the user cannot know whether SID_j is an 
authenticated sensor node, so they cannot communicate with each other. 
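The A1 to A5 exchange of Section 2.3, run end to end together with the observation of Section 3.2, as an added Python simulation that is not part of the paper. It stands in for the elliptic-curve group with exponentiation modulo a prime (so g^a plays the role of aP), fixes the timestamps TS_1 to TS_4 to the integers 1 to 4 with no freshness check, and uses constructed sample keys and identities; run_protocol, h_int, mul and rand_scalar are names chosen here.

```python
import hashlib
import secrets

# Added illustration of Jiang et al.'s A1-A5 flow. The EC group is replaced by a
# stand-in (exponentiation in Z_p^*, so g^a plays the role of aP); all keys and
# identities are constructed samples. Not the paper's or any project's code.
P_MOD = 2**127 - 1
G = 5
def H(*parts):  # H(x || y || ...): SHA-256 over the '||'-joined encoding
    return hashlib.sha256("||".join(str(p) for p in parts).encode()).hexdigest()

def h_int(*parts):  # hash as an integer so it can be XORed (the paper's ⊕)
    return int(H(*parts), 16)

def mul(k, point):  # stand-in for scalar multiplication kP
    return pow(point, k, P_MOD)

def rand_scalar():
    return secrets.randbelow(P_MOD - 2) + 1

# Registration outputs (constructed sample values)
K_GWN_U, K_GWN_S = "K_GWN-U-sample", "K_GWN-S-sample"
x = rand_scalar(); y = mul(x, G)     # GWN private key x, public key y = xP
ID_i, TE_i, SID_j = 0xA11CE, "TE-2025", "sensor-07"
TC_i = H(K_GWN_U, ID_i, TE_i)        # user's temporal credential
TC_j = H(K_GWN_S, SID_j)             # sensor's credential

def run_protocol(tampered_sid=None):
    """Run A1-A5 with TS1..TS4 = 1..4 (freshness checks not modelled). If
    tampered_sid is given, SID_j in M4 is altered in transit (Sect. 3.2).
    Returns (user_accepts_M4, session_keys_match, sid_seen_by_user)."""
    a = rand_scalar()                                # A1 (user)
    A_i, D_i = mul(a, G), mul(a, y)
    DID_i = ID_i ^ h_int(A_i, D_i)
    C_i = H(ID_i, 1, D_i, A_i, TC_i)
    D = mul(x, A_i)                                  # A2 (GWN): D = xA_i
    rid = DID_i ^ h_int(A_i, D)                      # recover ID_i
    if H(rid, 1, D, A_i, H(K_GWN_U, rid, TE_i)) != C_i:
        return (False, False, None)
    DID_GWN = rid ^ h_int(DID_i, TC_j, 2)
    C_GWN = H(rid, TC_j, A_i, 2)
    sid = DID_GWN ^ h_int(DID_i, TC_j, 2)            # A3 (sensor)
    if H(sid, TC_j, A_i, 2) != C_GWN:
        return (False, False, None)
    b = rand_scalar()
    B_j, SK_j = mul(b, G), H(mul(b, A_i))
    C_j = H(TC_j, sid, SID_j, B_j, 3)
    if H(TC_j, rid, SID_j, B_j, 3) != C_j:           # A4 (GWN)
        return (False, False, None)
    E_GWN = H(rid, TC_i, D, B_j, 4)                  # does not cover SID_j
    M4 = (tampered_sid or SID_j, 4, B_j, E_GWN)      # SID_j travels unprotected
    sid_seen, TS4, B, E = M4                         # A5 (user)
    ok = E == H(ID_i, TC_i, D_i, B, TS4)             # passes even if SID altered
    return (ok, H(mul(a, B)) == SK_j, sid_seen)      # SK_i = H(aB_j) = H(abP)
```

Calling run_protocol("sensor-evil") shows the user accepting M_4 and deriving a matching session key although SID_j was replaced in transit, because E_GWN does not bind SID_j.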


3.3. Lack of Sensor Anonymity 

Anonymity is a desirable security feature that protects the identities of the user and sensors during the 
identification and key agreement steps of the login and authentication phases. Thus, Jiang et al.’s authentication 
protocol provides the user’s dynamic identification DID_i to protect the user’s anonymity. Moreover, this protocol 
uses DID_GWN to protect the gateway node’s identification. However, Jiang et al.’s authentication protocol does not 
provide anonymity of the sensor node: SID_j is transmitted in the clear in {SID_j, TS_3, C_j, B_j} and 
{SID_j, TS_4, B_j, E_GWN}. Therefore, an attacker can know which sensor node is communicating with users. In 
addition, the attacker can abuse the sensor node’s identification, because SID_j can easily be learned by the 
attacker. Therefore, the anonymity of sensor nodes needs to be provided. First, S_j checks the freshness of TS_2. 
Then, if TS_2 is valid, S_j computes ID_i = DID_GWN ⊕ H(DID_i || TC_j || TS_2) and checks whether 
H(ID_i || TC_j || A_i || TS_2) and the received C_GWN are equal. 


3.4. DoS Attack 

A DoS attack is an attempt to make a machine or network resource unavailable so that regular users 
cannot use the system’s resources. Although the methods, motives, and targets of DoS attacks may vary, they 
generally involve efforts to temporarily or indefinitely interrupt or suspend the services of a host connected to 
the Internet. In Jiang et al.’s authentication protocol, sensor nodes can verify the freshness of a message using 
TS_2. Therefore, when an attacker replays a previous message to the sensor node, the sensor node can tell 
whether this message is current or old. However, after an attacker captures the previous message 
{TS_2, DID_i, DID_GWN, C_GWN, A_i}, the attacker can resend it with only TS_2 changed to the current timestamp. 
To check the legitimacy of the message, the sensor node must perform several computations, such as the hash 
function (twice), verification (twice), and timestamp checking (once), before the message is finally rejected. 
The sensor node has limited battery power and computational ability, so it is possible that a sensor node 
cannot perform its normal functions when an attacker executes this DoS attack on the sensor node. 


3.5. Weak ID Anonymity 

In Jiang et al.’s authentication protocol, the user can maintain ID anonymity using DID_i. An 
attacker cannot compute ID_i from DID_i, because the attacker does not know H(A_i || D_i) in DID_i = ID_i ⊕ 
H(A_i || D_i). However, ID_i can be exposed through sensor nodes captured by the attacker. The sensor nodes are 
scattered in various places, so the attacker can find sensor nodes and gain control over them. Therefore, the 
attacker can compute the user’s identity using ID_i = DID_GWN ⊕ H(DID_i || TC_j || TS_2), because the sensor 
nodes know TC_j, which is shared in the sensor registration phase. Hence, the attacker can obtain ID_i after 
capturing sensor nodes, and the anonymity of this protocol is not strong. 


4. CONCLUSION 

Jiang et al. proposed a privacy-aware two-factor authentication protocol using ECC for WSNs. They 
claim that their protocol achieves various security and usability features necessary for real-life application 
environments while maintaining acceptable efficiency. However, this paper analyzed Jiang et al.’s protocol 
and showed that it has security vulnerabilities, such as a lack of mutual authentication, a risk of 
SID modification and DoS attacks, a lack of sensor anonymity, and weak ID anonymity. To address these 
vulnerabilities, a security-enhanced privacy-aware two-factor authentication protocol using ECC for WSNs 
needs to be proposed. 